Moved to HTTPS

I’ve been complaining about “man in the middle” attacks brought on by internet service providers a bunch over the last year. The only way to keep uninvited third parties from injecting JavaScript and more—potentially screwing up your page—is to move to HTTPS. So, as much as it pains me to abandon good old fashioned HTTP, I’ve decided to lock things down a bit.

I was using Github to host my site as a Github page. It worked really well given this is a static site, but you can’t run Github-hosted sites under HTTPS unless you go with their *.github.io domain name (they have a wildcard certificate for that domain). There’s been a ton of interest in Github allowing custom cert installation, but no movement yet, so… onward!1

I opted to move to DigitalOcean since my consultancy recently relocated all of its sites there in a mass exodus from MediaTemple. Migrating the site was as simple as setting up the DigitalOcean server as a new “live” remote on my local git install and pushing it up there. Since it’s a static site, I didn’t have to worry too much about the server config. Apache is really great at hosting static files.

With the contents in place, I went through the rather convoluted process of getting SSL set up following the instructions from DigitalOcean. I opted for the free StartSSL certificate to begin with (a rather convoluted process, but we got there in the end) and then flipped the DNS records to point to the new box. Given that the StartSSL certificate needs to be renewed every 30 days, I may opt for a paid certificate in the not too distant future.

Once the DNS propagated, I had to go back and button up a few scripts that were requesting non-HTTPS content. I also had to tweak my Jekyll plugins and Rake tasks to include the legacy “http://” URLs when querying for webmentions and the like (since I didn’t want to lose those references). I also updated the Apache’s VirtualHost configuration for the non-secure site to make all traffic redirect:

Redirect permanent / https://www.aaron-gustafson.com/

All in all, it was a relatively painless migration. Admittedly, the initial re-build of the site (after updating the Rake tasks) did re-submit all of the webmentions I’d previously sent in order to provide the new address. If I referenced you a bunch in the past, I apologize for the flood of traffic, but it had to be done.

Anyway, so now this site is running under HTTPS. If you encounter any issues, please let me know. And if you want to read a really good account of migrating a site to HTTPS, you should definitely read Jeremy Keith’s step-by-step guide.


  1. It’s worth noting that the source of the site will remain on Github for the forseeable future. ↩︎


Shares

  1. Thierry

Comments

Note: These are comments exported from my old blog. Going forward, replies to my posts are only possible via webmentions.
  1. Philip Tellis

    I use StartSSL and my certs last for 1 year, not 30 days. Not sure what's different in your case.

    Also, you could front your site with CloudFlare to go full SSL for free.

    1. Aaron Gustafson

      I went for the freebee SSL cert through StartSSL and it seemed to indicate I would need to revalidate every 30 days. We'll see :-)

      CloudFlare was certainly an option, but the problem there was one problem in that CloudFlare's connection to GitHub would not be over SSL unless I made it to the github.io address. There were some issues with that approach, based on my research. I don't recall the links offhand, but that's why I opted to go right into setting up my own SSL.